Nov 6, 2019
A new report issued by the US Department of Veterans Affairs and UL suggests that along with regulation, procurement policies at healthcare purchasing organizations will play an increasingly significant role in driving medical device cybersecurity risk management efforts.
The recent Cooperative Research and Development Agreement (CRADA) report examines cybersecurity risks posed by connected medical devices, and how device manufacturers and healthcare providers can better collaborate to effectively manage these risks.
The report takes into account various moving parts in the complex issue of managing cybersecurity risk within the Internet of Medical Things (IoMT), including the potential for healthcare providers and systems to establish more rigorous cyber standards and requirements as part of their connected medical device procurement processes. While device manufacturers and software developers prepare for compliance to evolving cybersecurity-related regulations from US FDA and other market regulators, pressure from healthcare delivery organizations (HDOs) and general purchasing organizations (GPOs) to demonstrate proper cybersecurity risk mitigation measures and controls will also increase for these companies.
VA oversees a healthcare network serving nine million patients in the US, and entered into the CRADA with UL in order to identify methods for more effective lifecycle management of connected devices while minimizing cyber risks and vulnerabilities.
During the two-year CRADA period, VA used UL's UL 2900 set of cybersecurity standards for network-connected medical devices in two ways: for internal review and management of the department's cyber-related procurement processes and procedures, and for evaluation of devices and software under consideration for procurement, to determine whether those products' cybersecurity controls were adequate in the context of connected medical environments.
VA assessed an infusion pump from ICU Medical that had obtained certification to UL 2900-2-1, and found that procurement processes were actually accelerated. VA concluded that implementing UL 2900 provided benefits such as:
Given VA's role as one of the largest healthcare providers and medical device purchasing entities in the US, the CRADA conclusions will likely drive HDOs to consider more carefully the use of UL 2900 and other pertinent standards as cybersecurity becomes a bigger factor in organizations' device procurement approaches. For manufacturers of connected medical devices and technologies, certification to such standards not only helps address cybersecurity regulatory requirements but also helps meet procurers' criteria for purchasing consideration.
Emergo by UL will provide additional analysis of the UL-VA CRADA report in the coming weeks.